CloudBees Security Advisory 2020-05-26
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Open Redirect vulnerability in Authentication Mechanism in SSO
As part of the SSO process, the CloudBees Jenkins Operations Center (CJOC) redirects the user to the Master URL to finish the SSO process. The Master was vulnerable to Host Header injection, leading to an Open Redirect vulnerability which may allow an attacker to steal a victim's SSO session.
This issue is due to an incomplete fix of CTR-1098, announced in 2020-03-09 and wrongly called "CSRF in Authentication Mechanism in SSO". The vulnerability was not CSRF, but Open Redirect.
Masters now only support SSO requests from Hosts (or X-Forwarded-Host) matching the configured Jenkins Root URL. Any attempt to use a different URL will redirect to the configured Jenkins Root URL.
This can be disabled in the Operations Center by setting the property `com.cloudbees.opscenter.server.sso.SSOConfiguration.masterRootURLStrictCheckingDisabled=true`, but will make the product insecure, so it should only be used as a temporary workaround.
CloudBees Traditional Platforms should be upgraded 22.214.171.124
CloudBees Cloud Platforms should be upgraded 126.96.36.199
CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 188.8.131.52
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 184.108.40.206
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 220.127.116.11.2 rev3